Richard Bejtlich's blog on digital security, strategic thought, and military history.

Sunday, April 13, 2008

Solera V2P Tap

It looks like Solera Networks built a virtual tap, as I hoped someone would. I mentioned it to Solera when I visited them last year, so I'm glad to see someone built it. I told them it would be helpful for someone to create a way for virtual switches to export traffic from the VM environment to a physical environment, so that an NSM sensor could watch traffic as it would when connected to a physical tap.

This picture describes what it does:

You can read more in this news post and product description. You can download it here. The V2P Tap requires ESX Server, which I do not run. If someone with ESX Server downloads the V2P Tap, please let me know how it works for you.

It was not difficult to install. Configuring is another story. The dsfs kernel module is not loading, likely due to a licensing issue. At least this is what the web interface says. The little documentation they supply says nothing about a license, and one was not supplied with the download.

Can anyone assess the overall system load by using this virtual tap to send out traffic? I've seen in a VMware ESX workload analysis presentation that both disk and network I/O impose the highest virtualization overhead. So if the soft tap is sending out a lot of traffic then system resources on the physical host may become overly taxed.

There is a fix posted on Solera Networks' site to update the .vmx file; you can download it directly here: http://www.soleranetworks.com/downloads/v2pfix.zip

There is also a new package with detailed installation instructions available here: http://www.soleranetworks.com/products/virtual-tap-download.php